Oak Ridge National Lab shuts down Internet, email after cyberattack

DOE laboratory says it was victim of an Advanced Persistent Threat designed to steal technical data

The Oak Ridge National Laboratory, home to one of the world's most powerful supercomputers , has been forced to shut down its email systems and all Internet access for employees since late last Friday, following a sophisticated cyberattack.

The restrictions on Internet access will remain in place until those investigating the attack know that for sure that it has been completely contained, said Barbara Penland, ORNL's director of communications.

The lab is expected to restore external email service sometime on Wednesday, however no attachments will be allowed for the time being.

Penland said several other national laboratories and government organizations were targeted in the same attacks, which appear to have been launched earlier this month.

The measures at Oak Ridge were implemented late on Friday night after initial investigations showed that those behind the attacks were attempting to steal technical data from lab's systems and send it to an external system, Penland said.

So far, though, it appears that no significant amount of data has been stolen. Penland said investigators believe that whoever was behind the attacks managed to steal less than 1GB of data.

Penland said that ther e is nothing to show yet where the attacks originated from or who might have been behind it.

The attacks were launched through phishing emails that were sent to some 573 lab employees. The emails were disguised to appear like it came from the lab's HR department and purported to inform employees of some benefits related changes.

The emails contained a link that employees were asked to click on for further information.

Some employees appear to have clicked on the link resulting in an information-stealing malware program being downloaded on their systems.

Penland did not offer any more details on the malware itself. But a story in Knoxnews.com quoted ORNL director Thom Mason as saying the malware program exploited a zero-day vulnerability in Internet Explorer.

The story quoted Mason as describing the attack as a sophisticated Advanced Persistent Threat (APT), designed to gain a foothold on the lab's networks and then to quietly looking for and steal specific types of information.

"If you look at this APT, it is much more sophisticated than what was being used a few years ago," Mason told Konxnews.com. "Certainly what we've seen is very consistent with the RSA attack," he said referring to an attack on RSA a few weeks ago that resulted in data relating to the company's SecurID two-factor authentication technology being stolen.

Almost all of the lab's 200 IT staff are currently engaged in either investigating the attacks or ensuring that other systems remain available, Penland said. Staff from other national laboratories, are also helping in the investigations, she said. At the moment, the attacks are the subject of an IT investigation only and not a criminal one.

Penland said that the attacks appear to have been directed at ORNL's business systems. The lab's supercomputers, including the world's most powerful system, the 1.75-petaflop Jaguar, have been unaffected by the attacks and continue to operate normally.

As of this afternoon, the attacks appear to have been contained, she added. "Keeping the Internet down is a precaution to make sure that nothing gets out as we investigate further," she said.

The email and Internet shutdown has forced employees to rely on fax machines and phone calls to communicate with the outside world since last Friday, she said.

APTs of the sort described by Mason are highly targeted, low intensity attacks designed to conduct espionage and to steal information from high-value targets. The attacks, many of which are believed to originate in China, were initially targeted at U.S. Air Force and government networks.

Over the last 18 months or so, a growing number of private companies have reported being victims of APTs as well. The most notable was Google , which last year accused China of launch APT attacks against it to steal its IP.

More recently, security vendor RSA claimed that it was the victim of an APT attack after intruders broke into its networks and stole data on its SecurID two-factor authentication technology.

Oak Ridge National Laboratory's status as a Department of Energy funded lab, and the work it is doing especially in the area of supercomputers, makes it a prime target for an APT attack, if that indeed is what happened at the lab, said Rich Mogull, an analyst with Securosis.

The breach described by ORNL certainly appears to fit into the classic mold of an APT attack in which attackers first try to compromise systems using highly targeted phishing mails and then drop zero-day malware to snoop on and steal data, Mogull said

But until more details are released it is hard to know for sure, other analysts said.

"The term 'Advanced Persistent Threat' is definitely being overhyped and used as an excuse way too often, as in 'Well, it wasn't really our fault it was an Advanced Persistent Threat'," said John Pescatore an analyst at Gartner. "Advanced simply means it got past your defenses and persistent means it took you too long to detect it once it got in."

Pete Lindstrom, an analyst with Spire Security, said the tern APT is often used these days as a face saving measure. "The definition of APT is so sufficiently muddled that anyone can claim APT and be right in some sense and wrong in another," he said. "The proof is in the defenses that could have prevented it -- if they are fundamental security measures then the notion of APT has no meaning."

This is the second time that Oak Ridge has fallen victim to a phishing attack. In 2007, hackers gained access to a non-classified database after infecting internal systems via phishing emails.

That compromise resulted in the personal data, including Social Security numbers visitors to the laboratory, being compromised.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Copyright © 2011 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon